by mdeslaur 4280 days ago
Proposed patch for CVE-2014-7169 here:

http://www.openwall.com/lists/oss-security/2014/09/25/10

I am building bash updates for Ubuntu containing the proposed fix here and will publish them once the fix has been made official:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubu...

5 comments

I'm wondering if it wouldn't be possible to still support "export -f" while making it harder for attackers to fake it out. For example, if "export -f foo" put the function body in an environment variable named "BASH_EXPORTED_FUNC_foo", instead of just "foo", then the next bash, on startup, wouldn't have to even attempt function-body parsing on environment variables which lack that prefix, including a lot of the currently trumpeted attack vectors (SSL_whatever, HTTP_whatever, TERM, SSH_ORIGINAL_COMMAND, etc.).

This wouldn't be complete mitigation, and isn't a substitute for the current patches, but it could possibly reduce the attack surface for exploit of any similar remaining problems.

(I can imagine that someone, somewhere, has added an "export -f" env var to an AcceptEnv whitelist, or some such thing, and would need to change it, but that's probably a very rare situation.)

(Edited for clarity.)
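As an added illustration of the prefix scheme proposed in the comment above (this is not code from the thread or from bash itself), the following Python model compares which environment variables the legacy import rule and the prefixed rule would hand to the function parser. The prefix string, the name/body checks and the sample environment are all assumptions made for the illustration.

```python
"""Model of the BASH_EXPORTED_FUNC_ prefix idea for 'export -f' (assumed design)."""
import re

PREFIX = "BASH_EXPORTED_FUNC_"
# A value that looks like an exported function body begins with "() {".
FUNC_BODY = re.compile(r"^\(\)\s*\{")
# Only syntactically legal shell function names may be imported.
FUNC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def export_function(name, body):
    """What 'export -f name' would place in the environment under the prefix scheme."""
    if not FUNC_NAME.match(name):
        raise ValueError("not a valid function name: %r" % name)
    return PREFIX + name, body


def import_candidates(environ, prefixed):
    """Return (function_name, body) pairs the starting shell would pass to its parser.

    prefixed=False models the pre-fix behaviour: any variable whose value starts
    with "() {" is treated as a function definition, whatever its name.
    prefixed=True models the proposal: only BASH_EXPORTED_FUNC_* variables are
    considered; every other variable is plain data and is never parsed at all.
    """
    out = []
    for var, value in environ.items():
        if prefixed:
            if not var.startswith(PREFIX):
                continue
            name = var[len(PREFIX):]
        else:
            name = var
        if FUNC_NAME.match(name) and FUNC_BODY.match(value):
            out.append((name, value))
    return out


# Constructed sample environment: one legitimately exported function plus the
# kind of request-derived variables a CGI wrapper passes through, one of which
# carries a function-shaped value with trailing text after the closing brace.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "BASH_EXPORTED_FUNC_greet": "() { echo hello; }",
    "HTTP_USER_AGENT": "() { :; }; echo trailing-text",
    "TERM": "xterm",
}

if __name__ == "__main__":
    for mode in (False, True):
        print("prefixed" if mode else "legacy", import_candidates(SAMPLE_ENV, mode))
```

Under the legacy rule both BASH_EXPORTED_FUNC_greet and HTTP_USER_AGENT reach the parser; under the prefixed rule only greet does, and HTTP_USER_AGENT is never examined.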

For anyone landing here, mdeslaur and the Ubuntu team have now released a patch for CVE-2014-7169.

http://www.ubuntu.com/usn/usn-2363-1/

Debian stable is out as well.

Possibly stupid question, but won't Ubuntu also publish these as soon as the fix is made available as well?

mdeslaur is an Ubuntu security engineer.

Ahah, okay, makes sense. Thanks!

And THANK YOU SO MUCH for all your amazing work on this stuff, mdeslaur!

If you're following the instructions here: http://apple.stackexchange.com/questions/146849/how-do-i-rec...

...then this patch needs to be modified (different line numbers) before it can be applied to the Apple version of bash:

    --- parse.y.old 2014-09-25 13:42:17.000000000 +0300
    +++ parse.y    2014-09-25 13:41:39.000000000 +0300
    @@ -2503,6 +2503,8 @@
       FREE (word_desc_to_read);
       word_desc_to_read = (WORD_DESC *)NULL;
    
    +  eol_ungetc_lookahead = 0;
    +
       last_read_token = '\n';
       token_to_read = '\n';
     }
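Review bot: the hunk header carries no function-name context, so nothing in the hunk itself confirms that the new `eol_ungetc_lookahead = 0;` lands inside reset_parser() rather than in some other block that happens to clear word_desc_to_read; when re-deriving line numbers for Apple's bash, check that the two context lines matched are the ones in the parser-state reset function and not merely the first textual match. Also note the header timestamps: parse.y.old (13:42:17) is newer than parse.y (13:41:39), which suggests the two files may have been named in reverse, so a `patch --dry-run` to confirm the direction is worthwhile before applying.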
Testing locally, this appears to mitigate both known (so far) vulnerabilities.

Steps to get the partial patch on Ubuntu:

  sudo add-apt-repository ppa:ubuntu-security-proposed/ppa
  sudo apt-get update
  sudo apt-get upgrade

Unattended auto upgrades from that PPA:

  sudo apt-get install unattended-upgrades
  sudo dpkg-reconfigure unattended-upgrades

Then go to /etc/apt/apt.conf.d/50unattended-upgrades and add a line to allowed-origins that looks like

  "LP-PPA-ubuntu-security-proposed:precise";

Also make sure distro-codename-security is uncommented, and comment out the -updates one if you want. Then do this to make sure it all works:

  sudo unattended-upgrades --dry-run --debug